Beware! A spate of malicious emails have been spammed out by online criminals, disguised as legitimate communications from the UK branch of online retail giant Amazon.

In a widespread attack, email messages have been distributed designed to trick computer users into opening an attachment disguised as information about an order for an unnamed item.

Here's part of a typical message seen by the experts at SophosLabs:

From the looks of things, the body of the email itself - which have a subject line of "Your Order with Amazon.co.uk" - is harmless.

Any links contained inside the email do indeed go to the legitimate Amazon UK website, rather than a webpage hosting malware, and there are not attempts to phish for information.

The danger arrives in the file attached to the emails. The emails carry an attached file called "Your Order Details with Amazon.zip" which contains a Trojan horse.

It's understandable that some computer users would be fooled into opening the attachment, as they might be wondering what on earth they have ordered from Amazon.

It should go without saying that Amazon UK is a completely innocent party. They didn't send out the emails (despite what the forged "from" address used in the attack might suggest), and are having their brand tarnished by the cybercriminals behind this attack.

Computer users protected by Sophos security products will find the attachment is detected proactively as Mal/BredoZp-B.

Although there has been increased talk recently of drive-by-downloads and compromised websites being used to deliver malware onto the computers of unsuspecting computer users, it's worth remembering that email-based malware is far from dead.

You should always keep your security systems up-to-date, and - because of the danger they could introduce to your computer - be suspicious of unsolicited email attachments.

I got one of these - two hours after actually pre-ordering a DVD from Amazon. The email itself was fairly convincing. The thing that convinced me that it wasn't genuine was the attachment - a zipped .EXE. Report to stop-spoofing@amazon.com.

der....opening a zip file from pay pal/amazon or any other online retailer is a no no. never ever open an .exe file if you specifucally did not ask for a zip or .exe file. you will never get an infection if you follow this rule, from an email anyway

But the email doesn't look anything like the confirmation emails we get from Amazon's UK operation! That alone should make regular users of the Amazon service extremely wary.
The emails we get from Amazon contain a full listing of our orders and the order confirmation number as open text - no 'additional' files at all.
If you get an email from Amazon in the UK with an attachment, it isn't from Amazon so delete it - especially if you have not placed an order in the last few minutes! The same applies in our experience with Amazon in the US.

I've now received another 3 - again, 2 hours after placing a pre-order with Amazon for DVDs not yet released - coincidence? This is something I haven't done before, so I wasn't surprised (first time) when the email was a bit different from normal.

I'm not silly about these things but this one had me wondering for a while. All the links were genuine but the attachment clinched it.

Make a message rule on your Email program. "All incoming mail to deleted items folder". Next, make a Maintenance rule. "Empty deleted items folder on exit program".
Click only on emails you want and drag them into your Inbox. Do not click on suspect emails (not even to delete).